Release of Exponential 6.0.13 (From 7x)

Official stable release of Exponential 6.0.13 (Stable).

Release date: 2026.04.20.

What's Changed / What's New (Since Exponential 6.0.12)

The main themes of this release are Security Hardening, PHP 8 Compatibility Fixes, SQLite3 Driver Improvements, New Template String Operators, and an upgraded PHPUnit v13 Test Suite.

Download Release: se7enxweb/exponential/releases/tag/v6.0.13

Changelog Details

• Security Fixes (Critical — PR #60: security-hardening-exp-6013)

  * SEC [SEC-01..06]: Fix SQL injection and OS shell injection — 4 files patched, 6 attack surfaces closed. Parameterised queries and shell-argument escaping applied to previously vulnerable call sites.

• * FIX [UND-01..03, LOG-01..02, NUL-01..13, PRG-01]: Null/undefined guards and logic corrections — 12 files hardened against undefined-variable and null-dereference conditions that could lead to information disclosure or logic-bypass under PHP 8.

• * PHP84 [PHP-01..03, NUL-04..05]: PHP 8.4 deprecation fixes + order null guards — 2 files updated to resolve deprecation warnings introduced in PHP 8.4.

• * FIX [IMP-01..02, SET-01..06, KNT-01..12]: SOAP stubs, setup wizard guards, kernel/content null safety — 20 files updated; covers SOAP response stubs, setup-wizard input validation, and kernel/content-object null-safety checks.

• Session / PHP 8 Compatibility

  * fix(ezsession): PHP 8 compat — read() now returns '' (empty string) instead of false; gc() correctly uses time() + gcStartTime for session lifetime calculation. Eliminates type-error fatals on PHP 8.

• * fix(ezsession): PHP 8 — guard $GLOBALS['eZCurrentAccess'] before access — prevents undefined-index warnings / fatals when the global is not yet initialised during early-bootstrap session handling.

• SQLite3 Driver Improvements

  * SQLite3: register eZSQLite3DB autoload + support absolute DB path — The SQLite3 database driver now registers its autoload entry correctly and accepts an absolute filesystem path for the database file, enabling use outside the default var/ tree.

• * fix(sqlite3): use recursive mkdir when creating SQLite3 DB directory — Prevents a fatal error when intermediate directories do not exist on first-run installations.

• New Template Operators (Feature)

  * Added: rstring, ristring, and many other PHP string operators as template operators — A broad set of PHP string-manipulation functions (rstring, ristring, str_pad, wordwrap, chunk_split, str_word_count, number_format, sprintf wrappers, and more) are now available directly inside Exponential templates. Feature Addition.

• PHPUnit / Test Suite Upgrades (PR #61: upgrade-phpunit-tests-to-phpunit10)

  * TEST [PHPUnit-10, SEC-01..06]: Add PHPUnit 10 test infrastructure and security hardening suite — 6 new test files covering the SEC-01..06 attack surfaces closed in this release.

• * Updated: Upgraded PHPUnit test suite support to v13 — phpunit.xml and test bootstrap updated for PHPUnit 13 compatibility.

• * Updated: Version bump for PHPUnit to avoid composer security advisory — Resolves a composer installation warning/block caused by a published security advisory against the previously pinned PHPUnit version.

• Documentation

  * DOC [SEC-01..06, NUL-01..14, PHP-01..03, UND-01..03, LOG-01..02, SET-01..06, KNT-01..12, IMP-01..02, PRG-01]: Add security hardening reference — hardening.md (1,176 lines) documents every patch reference code, the vulnerability class, affected file(s), and the fix applied.

• * DOC: Add PHPUnit 3.7→10 migration guide — doc/phpunitv10.md added as a developer reference for upgrading legacy test suites.

• * DOC: Document PHP version compatibility — Explicit statement that the 6.0.13 patch set does not raise the minimum PHP version requirement.

• * Updated: README — Distribution count updated, Exponential Platform / Nexus version details added, issue tracker links revised, Telegram community link fixed.

• Infrastructure / Project

  * chore: add GitHub Sponsors funding metadata — .github/FUNDING.yml added to enable sponsorship via GitHub Sponsors.

• * Updated: .htaccess_root rebranding — Comments inside the example root .htaccess configuration file updated to reflect current Exponential branding.

• * Updated: Patched a fatal flaw in the client calling API for curl requests — Curl client wrapper corrected; tested as working. Bugfix.

• Notable Changes (Since eZ Publish 5)

  * Refer to prior release notes for the full historical feature list. Key milestones still included in this build:

• * Security: 6 SQL-injection / OS-shell-injection attack surfaces closed (this release)

• * PHP 8.4 / 8.5 support (ongoing since 6.0.8)

• * SQLite3 database driver (new this release)

• * PHPUnit 13 test suite (new this release)

• * REST API v2 (CRUD) support (since 6.0.9)

• * PostgreSQL 17 setup-wizard support (since 6.0.10)

• * Admin3 responsive admin design

• * Multi-site INI override and cache-handling improvements (since 6.0.12)

• * has_role / has_policy template & PHP operators (since 6.0.12)

• Contributors: 7x, Graham Brookins, CJW Network